npm - @openparachute/agent - Versions diffs - 0.1.0 - Mend

@openparachute/agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (501) hide show

package/.claude/scheduled_tasks.lock +1 -0
package/.claude/settings.json +5 -0
package/.claude/skills/add-atomic-chat-tool/SKILL.md +243 -0
package/.claude/skills/add-atomic-chat-tool/atomic-chat-mcp-stdio.ts +229 -0
package/.claude/skills/add-codex/SKILL.md +161 -0
package/.claude/skills/add-dashboard/SKILL.md +138 -0
package/.claude/skills/add-dashboard/resources/dashboard-pusher.ts +495 -0
package/.claude/skills/add-emacs/SKILL.md +296 -0
package/.claude/skills/add-gcal-tool/SKILL.md +210 -0
package/.claude/skills/add-gchat/REMOVE.md +6 -0
package/.claude/skills/add-gchat/SKILL.md +92 -0
package/.claude/skills/add-gchat/VERIFY.md +3 -0
package/.claude/skills/add-github/REMOVE.md +6 -0
package/.claude/skills/add-github/SKILL.md +148 -0
package/.claude/skills/add-github/VERIFY.md +3 -0
package/.claude/skills/add-gmail-tool/SKILL.md +229 -0
package/.claude/skills/add-imessage/REMOVE.md +6 -0
package/.claude/skills/add-imessage/SKILL.md +113 -0
package/.claude/skills/add-imessage/VERIFY.md +3 -0
package/.claude/skills/add-karpathy-llm-wiki/SKILL.md +110 -0
package/.claude/skills/add-karpathy-llm-wiki/llm-wiki.md +75 -0
package/.claude/skills/add-linear/REMOVE.md +6 -0
package/.claude/skills/add-linear/SKILL.md +168 -0
package/.claude/skills/add-linear/VERIFY.md +3 -0
package/.claude/skills/add-macos-statusbar/SKILL.md +133 -0
package/.claude/skills/add-macos-statusbar/add/src/statusbar.swift +147 -0
package/.claude/skills/add-matrix/REMOVE.md +6 -0
package/.claude/skills/add-matrix/SKILL.md +148 -0
package/.claude/skills/add-matrix/VERIFY.md +3 -0
package/.claude/skills/add-ollama-provider/SKILL.md +179 -0
package/.claude/skills/add-ollama-tool/SKILL.md +193 -0
package/.claude/skills/add-opencode/SKILL.md +229 -0
package/.claude/skills/add-parallel/SKILL.md +290 -0
package/.claude/skills/add-resend/REMOVE.md +6 -0
package/.claude/skills/add-resend/SKILL.md +93 -0
package/.claude/skills/add-resend/VERIFY.md +3 -0
package/.claude/skills/add-signal/REMOVE.md +13 -0
package/.claude/skills/add-signal/SKILL.md +318 -0
package/.claude/skills/add-signal/VERIFY.md +5 -0
package/.claude/skills/add-slack/REMOVE.md +6 -0
package/.claude/skills/add-slack/SKILL.md +112 -0
package/.claude/skills/add-slack/VERIFY.md +3 -0
package/.claude/skills/add-teams/REMOVE.md +6 -0
package/.claude/skills/add-teams/SKILL.md +207 -0
package/.claude/skills/add-teams/VERIFY.md +3 -0
package/.claude/skills/add-vercel/SKILL.md +147 -0
package/.claude/skills/add-vercel/container-skills/vercel-cli/SKILL.md +103 -0
package/.claude/skills/add-webex/REMOVE.md +6 -0
package/.claude/skills/add-webex/SKILL.md +88 -0
package/.claude/skills/add-webex/VERIFY.md +3 -0
package/.claude/skills/add-wechat/REMOVE.md +49 -0
package/.claude/skills/add-wechat/SKILL.md +170 -0
package/.claude/skills/add-wechat/scripts/wire-dm.ts +172 -0
package/.claude/skills/add-whatsapp/SKILL.md +264 -0
package/.claude/skills/add-whatsapp-cloud/REMOVE.md +6 -0
package/.claude/skills/add-whatsapp-cloud/SKILL.md +95 -0
package/.claude/skills/add-whatsapp-cloud/VERIFY.md +3 -0
package/.claude/skills/claw/SKILL.md +131 -0
package/.claude/skills/claw/scripts/claw +374 -0
package/.claude/skills/convert-to-apple-container/SKILL.md +212 -0
package/.claude/skills/customize/SKILL.md +110 -0
package/.claude/skills/debug/SKILL.md +349 -0
package/.claude/skills/get-qodo-rules/SKILL.md +122 -0
package/.claude/skills/get-qodo-rules/references/output-format.md +41 -0
package/.claude/skills/get-qodo-rules/references/pagination.md +33 -0
package/.claude/skills/get-qodo-rules/references/repository-scope.md +26 -0
package/.claude/skills/init-first-agent/SKILL.md +120 -0
package/.claude/skills/init-onecli/SKILL.md +270 -0
package/.claude/skills/manage-channels/SKILL.md +87 -0
package/.claude/skills/manage-mounts/SKILL.md +47 -0
package/.claude/skills/migrate-from-openclaw/MIGRATE_CRONS.md +100 -0
package/.claude/skills/migrate-from-openclaw/SKILL.md +447 -0
package/.claude/skills/migrate-from-openclaw/scripts/discover-openclaw.ts +734 -0
package/.claude/skills/migrate-from-openclaw/scripts/extract-channel-credentials.ts +476 -0
package/.claude/skills/migrate-nanoclaw/SKILL.md +484 -0
package/.claude/skills/migrate-nanoclaw/diagnostics.md +51 -0
package/.claude/skills/qodo-pr-resolver/SKILL.md +326 -0
package/.claude/skills/qodo-pr-resolver/resources/providers.md +329 -0
package/.claude/skills/update-nanoclaw/SKILL.md +243 -0
package/.claude/skills/update-nanoclaw/diagnostics.md +48 -0
package/.claude/skills/update-skills/SKILL.md +130 -0
package/.claude/skills/use-native-credential-proxy/SKILL.md +167 -0
package/.claude/skills/x-integration/SKILL.md +417 -0
package/.claude/skills/x-integration/agent.ts +243 -0
package/.claude/skills/x-integration/host.ts +155 -0
package/.claude/skills/x-integration/lib/browser.ts +148 -0
package/.claude/skills/x-integration/lib/config.ts +62 -0
package/.claude/skills/x-integration/scripts/like.ts +56 -0
package/.claude/skills/x-integration/scripts/post.ts +66 -0
package/.claude/skills/x-integration/scripts/quote.ts +80 -0
package/.claude/skills/x-integration/scripts/reply.ts +74 -0
package/.claude/skills/x-integration/scripts/retweet.ts +62 -0
package/.claude/skills/x-integration/scripts/setup.ts +87 -0
package/.github/CODEOWNERS +10 -0
package/.github/PULL_REQUEST_TEMPLATE.md +18 -0
package/.github/workflows/bump-version.yml +35 -0
package/.github/workflows/ci.yml +39 -0
package/.github/workflows/label-pr.yml +40 -0
package/.github/workflows/update-tokens.yml +43 -0
package/.husky/pre-commit +1 -0
package/.mcp.json +3 -0
package/.nvmrc +1 -0
package/.parachute/module.json +14 -0
package/.prettierrc +4 -0
package/CHANGELOG.md +215 -0
package/CLAUDE.md +307 -0
package/CODE_OF_CONDUCT.md +128 -0
package/CONTRIBUTING.md +159 -0
package/CONTRIBUTORS.md +26 -0
package/LICENSE +21 -0
package/README.md +190 -0
package/README_ja.md +194 -0
package/README_zh.md +194 -0
package/assets/nanoclaw-favicon.png +0 -0
package/assets/nanoclaw-icon.png +0 -0
package/assets/nanoclaw-logo-dark.png +0 -0
package/assets/nanoclaw-logo.png +0 -0
package/assets/nanoclaw-profile.jpeg +0 -0
package/assets/nanoclaw-sales.png +0 -0
package/assets/social-preview.jpg +0 -0
package/config-examples/mount-allowlist.json +25 -0
package/container/.dockerignore +2 -0
package/container/CLAUDE.md +21 -0
package/container/Dockerfile +121 -0
package/container/agent-runner/bun.lock +243 -0
package/container/agent-runner/package.json +22 -0
package/container/agent-runner/scripts/sdk-signal-probe.ts +169 -0
package/container/agent-runner/src/config.ts +55 -0
package/container/agent-runner/src/db/connection.ts +267 -0
package/container/agent-runner/src/db/index.ts +20 -0
package/container/agent-runner/src/db/messages-in.ts +138 -0
package/container/agent-runner/src/db/messages-out.ts +143 -0
package/container/agent-runner/src/db/session-routing.ts +30 -0
package/container/agent-runner/src/db/session-state.test.ts +100 -0
package/container/agent-runner/src/db/session-state.ts +79 -0
package/container/agent-runner/src/destinations.ts +135 -0
package/container/agent-runner/src/formatter.test.ts +167 -0
package/container/agent-runner/src/formatter.ts +260 -0
package/container/agent-runner/src/index.ts +110 -0
package/container/agent-runner/src/integration.test.ts +121 -0
package/container/agent-runner/src/mcp-tools/agents.instructions.md +26 -0
package/container/agent-runner/src/mcp-tools/agents.ts +66 -0
package/container/agent-runner/src/mcp-tools/core.instructions.md +27 -0
package/container/agent-runner/src/mcp-tools/core.ts +262 -0
package/container/agent-runner/src/mcp-tools/index.ts +22 -0
package/container/agent-runner/src/mcp-tools/interactive.instructions.md +22 -0
package/container/agent-runner/src/mcp-tools/interactive.ts +169 -0
package/container/agent-runner/src/mcp-tools/scheduling.instructions.md +40 -0
package/container/agent-runner/src/mcp-tools/scheduling.ts +299 -0
package/container/agent-runner/src/mcp-tools/self-mod.instructions.md +25 -0
package/container/agent-runner/src/mcp-tools/self-mod.ts +120 -0
package/container/agent-runner/src/mcp-tools/server.ts +54 -0
package/container/agent-runner/src/mcp-tools/types.ts +6 -0
package/container/agent-runner/src/poll-loop.test.ts +248 -0
package/container/agent-runner/src/poll-loop.ts +437 -0
package/container/agent-runner/src/providers/claude.ts +379 -0
package/container/agent-runner/src/providers/factory.test.ts +19 -0
package/container/agent-runner/src/providers/factory.ts +13 -0
package/container/agent-runner/src/providers/index.ts +6 -0
package/container/agent-runner/src/providers/mock.ts +77 -0
package/container/agent-runner/src/providers/provider-registry.ts +33 -0
package/container/agent-runner/src/providers/types.ts +82 -0
package/container/agent-runner/src/scheduling/task-script.ts +121 -0
package/container/agent-runner/src/timezone.test.ts +93 -0
package/container/agent-runner/src/timezone.ts +107 -0
package/container/agent-runner/tsconfig.json +14 -0
package/container/build.sh +48 -0
package/container/entrypoint.sh +16 -0
package/container/skills/agent-browser/SKILL.md +159 -0
package/container/skills/frontend-engineer/SKILL.md +157 -0
package/container/skills/self-customize/SKILL.md +87 -0
package/container/skills/slack-formatting/SKILL.md +94 -0
package/container/skills/vercel-cli/SKILL.md +111 -0
package/container/skills/welcome/SKILL.md +85 -0
package/docs/APPLE-CONTAINER-NETWORKING.md +90 -0
package/docs/BRANCH-FORK-MAINTENANCE.md +81 -0
package/docs/README.md +25 -0
package/docs/SDK_DEEP_DIVE.md +643 -0
package/docs/SECURITY.md +162 -0
package/docs/agent-runner-details.md +749 -0
package/docs/api-details.md +365 -0
package/docs/architecture-diagram.html +422 -0
package/docs/architecture-diagram.md +215 -0
package/docs/architecture.md +751 -0
package/docs/audit/2026-04-30-channel-endpoint-audit.md +36 -0
package/docs/build-and-runtime.md +80 -0
package/docs/cross-mount-stress/README.md +112 -0
package/docs/cross-mount-stress/container-writer-retry.mjs +55 -0
package/docs/cross-mount-stress/container-writer-slow.mjs +42 -0
package/docs/cross-mount-stress/container-writer.mjs +47 -0
package/docs/cross-mount-stress/host-writer-retry.mjs +55 -0
package/docs/cross-mount-stress/host-writer-slow.mjs +43 -0
package/docs/cross-mount-stress/host-writer.mjs +47 -0
package/docs/db-central.md +316 -0
package/docs/db-session.md +183 -0
package/docs/db.md +119 -0
package/docs/design/2026-04-29-vault-management-ui.md +231 -0
package/docs/design/2026-04-30-channel-wiring-rework.md +234 -0
package/docs/design/2026-05-01-channel-wiring-approvals-deep-dive.md +272 -0
package/docs/design/2026-05-02-channel-policy-and-approval-routing.md +250 -0
package/docs/docker-sandboxes.md +359 -0
package/docs/isolation-model.md +88 -0
package/docs/ollama.md +79 -0
package/docs/parachute-integration.md +109 -0
package/docs/post-night-rebirth-reflections.md +151 -0
package/eslint.config.js +32 -0
package/package.json +54 -0
package/pnpm-workspace.yaml +8 -0
package/repo-tokens/README.md +113 -0
package/repo-tokens/action.yml +186 -0
package/repo-tokens/badge.svg +23 -0
package/repo-tokens/examples/green.svg +14 -0
package/repo-tokens/examples/red.svg +14 -0
package/repo-tokens/examples/yellow-green.svg +14 -0
package/repo-tokens/examples/yellow.svg +14 -0
package/scripts/chat.ts +101 -0
package/scripts/cleanup-sessions.sh +150 -0
package/scripts/init-cli-agent.ts +171 -0
package/scripts/init-first-agent.ts +377 -0
package/scripts/parachute.ts +158 -0
package/scripts/run-migrations.ts +105 -0
package/scripts/sanity-live-poll.ts +95 -0
package/scripts/seed-discord.ts +79 -0
package/scripts/test-v2-agent.ts +106 -0
package/scripts/test-v2-channel-e2e.ts +265 -0
package/scripts/test-v2-host.ts +184 -0
package/src/channels/adapter.ts +214 -0
package/src/channels/ask-question.ts +46 -0
package/src/channels/channel-registry.test.ts +421 -0
package/src/channels/channel-registry.ts +313 -0
package/src/channels/chat-sdk-bridge.test.ts +84 -0
package/src/channels/chat-sdk-bridge.ts +652 -0
package/src/channels/cli.ts +276 -0
package/src/channels/discord.ts +90 -0
package/src/channels/index.ts +17 -0
package/src/channels/telegram-markdown-sanitize.test.ts +78 -0
package/src/channels/telegram-markdown-sanitize.ts +55 -0
package/src/channels/telegram-pairing.test.ts +254 -0
package/src/channels/telegram-pairing.ts +339 -0
package/src/channels/telegram.ts +279 -0
package/src/channels/trust-hint.test.ts +48 -0
package/src/channels/trust-hint.ts +75 -0
package/src/claude-md-compose.migrate.test.ts +64 -0
package/src/claude-md-compose.ts +205 -0
package/src/command-gate.ts +63 -0
package/src/config.test.ts +93 -0
package/src/config.ts +108 -0
package/src/container-config.ts +167 -0
package/src/container-runner.test.ts +32 -0
package/src/container-runner.ts +576 -0
package/src/container-runtime.test.ts +169 -0
package/src/container-runtime.ts +92 -0
package/src/db/_bun-sqlite-shim.ts +88 -0
package/src/db/agent-activity.test.ts +155 -0
package/src/db/agent-activity.ts +121 -0
package/src/db/agent-groups.ts +77 -0
package/src/db/connection.migrate.test.ts +143 -0
package/src/db/connection.ts +224 -0
package/src/db/db-v2.test.ts +440 -0
package/src/db/dropped-messages.ts +44 -0
package/src/db/index.ts +40 -0
package/src/db/messaging-groups.ts +252 -0
package/src/db/migrations/001-initial.ts +112 -0
package/src/db/migrations/002-chat-sdk-state.ts +36 -0
package/src/db/migrations/008-dropped-messages.ts +27 -0
package/src/db/migrations/009-drop-pending-credentials.ts +13 -0
package/src/db/migrations/010-engage-modes.ts +103 -0
package/src/db/migrations/011-pending-sender-approvals.ts +40 -0
package/src/db/migrations/012-channel-registration.ts +48 -0
package/src/db/migrations/013-approval-render-metadata.ts +27 -0
package/src/db/migrations/014-secrets.ts +44 -0
package/src/db/migrations/015-secrets-drop-host-pattern.ts +18 -0
package/src/db/migrations/016-secret-assignments.ts +30 -0
package/src/db/migrations/017-agent-activity.ts +40 -0
package/src/db/migrations/018-oauth-app-configs.ts +34 -0
package/src/db/migrations/019-oauth-app-connections.ts +48 -0
package/src/db/migrations/020-agent-app-connections.ts +28 -0
package/src/db/migrations/021-pending-oauth-states.ts +35 -0
package/src/db/migrations/022-app-connections-provider.ts +25 -0
package/src/db/migrations/023-agent-group-secret-mode.test.ts +124 -0
package/src/db/migrations/023-agent-group-secret-mode.ts +65 -0
package/src/db/migrations/024-collapse-approvals.test.ts +249 -0
package/src/db/migrations/024-collapse-approvals.ts +182 -0
package/src/db/migrations/025-secret-mode-check.test.ts +155 -0
package/src/db/migrations/025-secret-mode-check.ts +49 -0
package/src/db/migrations/026-user-dms-bot-id.test.ts +116 -0
package/src/db/migrations/026-user-dms-bot-id.ts +54 -0
package/src/db/migrations/027-provider-credentials.ts +41 -0
package/src/db/migrations/_test-helpers.ts +41 -0
package/src/db/migrations/index.ts +127 -0
package/src/db/migrations/module-agent-to-agent-destinations.ts +84 -0
package/src/db/migrations/module-approvals-pending-approvals.ts +42 -0
package/src/db/migrations/module-approvals-title-options.ts +40 -0
package/src/db/schema.ts +258 -0
package/src/db/session-db.test.ts +93 -0
package/src/db/session-db.ts +325 -0
package/src/db/sessions.ts +241 -0
package/src/delivery.test.ts +148 -0
package/src/delivery.ts +445 -0
package/src/env.ts +74 -0
package/src/group-folder.test.ts +35 -0
package/src/group-folder.ts +44 -0
package/src/group-init.ts +92 -0
package/src/host-core.test.ts +456 -0
package/src/host-sweep.test.ts +146 -0
package/src/host-sweep.ts +287 -0
package/src/index.ts +227 -0
package/src/install-slug.ts +33 -0
package/src/log.test.ts +81 -0
package/src/log.ts +117 -0
package/src/mcp/http.ts +72 -0
package/src/mcp/server.ts +92 -0
package/src/mcp/stdio.ts +51 -0
package/src/mcp/tools/activity.ts +88 -0
package/src/mcp/tools/agent-groups.ts +183 -0
package/src/mcp/tools/approvals.ts +122 -0
package/src/mcp/tools/channels.ts +199 -0
package/src/mcp/tools/index.ts +27 -0
package/src/mcp/tools/oauth.ts +48 -0
package/src/mcp/tools/secrets.ts +169 -0
package/src/mcp/tools/sessions.ts +135 -0
package/src/mcp/types.ts +51 -0
package/src/modules/agent-to-agent/agent-route.test.ts +46 -0
package/src/modules/agent-to-agent/agent-route.ts +223 -0
package/src/modules/agent-to-agent/create-agent.ts +127 -0
package/src/modules/agent-to-agent/db/agent-destinations.ts +135 -0
package/src/modules/agent-to-agent/index.ts +22 -0
package/src/modules/agent-to-agent/write-destinations.ts +59 -0
package/src/modules/approvals/agent.md +45 -0
package/src/modules/approvals/index.ts +21 -0
package/src/modules/approvals/picks.test.ts +291 -0
package/src/modules/approvals/primitive.ts +279 -0
package/src/modules/approvals/project.md +27 -0
package/src/modules/approvals/response-handler.ts +87 -0
package/src/modules/index.ts +24 -0
package/src/modules/interactive/agent.md +21 -0
package/src/modules/interactive/index.ts +69 -0
package/src/modules/interactive/project.md +12 -0
package/src/modules/mount-security/index.ts +448 -0
package/src/modules/mount-security/migrate.test.ts +91 -0
package/src/modules/permissions/access.ts +28 -0
package/src/modules/permissions/channel-approval.test.ts +389 -0
package/src/modules/permissions/channel-approval.ts +188 -0
package/src/modules/permissions/db/agent-group-members.ts +44 -0
package/src/modules/permissions/db/pending-channel-approvals.test.ts +86 -0
package/src/modules/permissions/db/pending-channel-approvals.ts +66 -0
package/src/modules/permissions/db/pending-sender-approvals.ts +60 -0
package/src/modules/permissions/db/user-dms.ts +58 -0
package/src/modules/permissions/db/user-roles.ts +85 -0
package/src/modules/permissions/db/users.ts +38 -0
package/src/modules/permissions/index.ts +421 -0
package/src/modules/permissions/permissions.test.ts +358 -0
package/src/modules/permissions/sender-approval.test.ts +470 -0
package/src/modules/permissions/sender-approval.ts +165 -0
package/src/modules/permissions/user-dm.ts +200 -0
package/src/modules/provider-credentials/db.ts +121 -0
package/src/modules/provider-credentials/index.ts +12 -0
package/src/modules/provider-credentials/spawn.test.ts +206 -0
package/src/modules/provider-credentials/spawn.ts +114 -0
package/src/modules/scheduling/actions.ts +113 -0
package/src/modules/scheduling/db.test.ts +282 -0
package/src/modules/scheduling/db.ts +148 -0
package/src/modules/scheduling/index.ts +34 -0
package/src/modules/scheduling/recurrence.test.ts +98 -0
package/src/modules/scheduling/recurrence.ts +54 -0
package/src/modules/self-mod/agent.md +30 -0
package/src/modules/self-mod/apply.ts +85 -0
package/src/modules/self-mod/index.ts +30 -0
package/src/modules/self-mod/project.md +39 -0
package/src/modules/self-mod/request.ts +91 -0
package/src/modules/typing/index.ts +165 -0
package/src/oauth/agent-app-connections.ts +103 -0
package/src/oauth/app-configs.test.ts +64 -0
package/src/oauth/app-configs.ts +114 -0
package/src/oauth/app-connections.test.ts +109 -0
package/src/oauth/app-connections.ts +178 -0
package/src/oauth/crypto.ts +56 -0
package/src/oauth/flow.ts +104 -0
package/src/oauth/providers/google.test.ts +38 -0
package/src/oauth/providers/google.ts +46 -0
package/src/oauth/providers/index.ts +48 -0
package/src/oauth/state-store.test.ts +54 -0
package/src/oauth/state-store.ts +93 -0
package/src/parachute/README.md +27 -0
package/src/parachute/create-agent.test.ts +83 -0
package/src/parachute/create-agent.ts +122 -0
package/src/parachute/group-status.test.ts +165 -0
package/src/parachute/group-status.ts +136 -0
package/src/parachute/types.ts +41 -0
package/src/parachute/vault-mcp.test.ts +251 -0
package/src/parachute/vault-mcp.ts +232 -0
package/src/platform-id.test.ts +104 -0
package/src/platform-id.ts +109 -0
package/src/providers/index.ts +6 -0
package/src/providers/provider-container-registry.ts +58 -0
package/src/response-registry.ts +45 -0
package/src/router.ts +530 -0
package/src/secrets/crypto.test.ts +45 -0
package/src/secrets/crypto.ts +55 -0
package/src/secrets/index.ts +355 -0
package/src/secrets/master-key.ts +70 -0
package/src/secrets/secrets.test.ts +354 -0
package/src/session-manager.migrate.test.ts +59 -0
package/src/session-manager.ts +433 -0
package/src/startup-bootstrap.test.ts +226 -0
package/src/startup-bootstrap.ts +207 -0
package/src/state-sqlite.ts +182 -0
package/src/timezone.test.ts +64 -0
package/src/timezone.ts +37 -0
package/src/types.ts +230 -0
package/src/web/auth.test.ts +335 -0
package/src/web/auth.ts +214 -0
package/src/web/discord-validate.test.ts +77 -0
package/src/web/discord-validate.ts +88 -0
package/src/web/hub-discovery.test.ts +98 -0
package/src/web/hub-discovery.ts +69 -0
package/src/web/routes/activity.ts +106 -0
package/src/web/routes/agent-provider.test.ts +282 -0
package/src/web/routes/agent-provider.ts +309 -0
package/src/web/routes/approvals.ts +185 -0
package/src/web/routes/apps.ts +434 -0
package/src/web/routes/channels-mg-detail.test.ts +324 -0
package/src/web/routes/channels-mga-detail.test.ts +425 -0
package/src/web/routes/channels.ts +489 -0
package/src/web/routes/oauth-providers.ts +42 -0
package/src/web/routes/secrets.test.ts +175 -0
package/src/web/routes/secrets.ts +282 -0
package/src/web/routes/sessions.ts +123 -0
package/src/web/routes/settings.test.ts +106 -0
package/src/web/routes/settings.ts +247 -0
package/src/web/routes/setup-status.ts +205 -0
package/src/web/routes/vaults.test.ts +389 -0
package/src/web/routes/vaults.ts +225 -0
package/src/web/server-version.test.ts +16 -0
package/src/web/server.ts +1003 -0
package/src/web/services-manifest.test.ts +120 -0
package/src/web/services-manifest.ts +61 -0
package/src/web/static-serve.test.ts +255 -0
package/src/web/static-serve.ts +104 -0
package/src/web/telegram-validate.test.ts +116 -0
package/src/web/telegram-validate.ts +107 -0
package/src/web/vault-proxy.test.ts +214 -0
package/src/web/vault-proxy.ts +120 -0
package/src/web/wire-channel.ts +181 -0
package/src/webhook-server.ts +134 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +18 -0
package/web/README.md +63 -0
package/web/ui/index.html +13 -0
package/web/ui/package.json +35 -0
package/web/ui/pnpm-lock.yaml +2164 -0
package/web/ui/scripts/verify-base.mjs +31 -0
package/web/ui/src/App.tsx +88 -0
package/web/ui/src/components/ActivityFeed.tsx +444 -0
package/web/ui/src/components/AgentGroupPicker.tsx +263 -0
package/web/ui/src/components/AgentProviderCards.tsx +220 -0
package/web/ui/src/components/CredentialForm.tsx +214 -0
package/web/ui/src/components/ScopeGrants.tsx +74 -0
package/web/ui/src/components/StatusDot.tsx +43 -0
package/web/ui/src/components/VaultPicker.tsx +127 -0
package/web/ui/src/components/setup/AdapterInstallStep.tsx +178 -0
package/web/ui/src/components/setup/AgentGroupStep.tsx +43 -0
package/web/ui/src/components/setup/ChannelPickStep.tsx +74 -0
package/web/ui/src/components/setup/DoneStep.tsx +49 -0
package/web/ui/src/components/setup/PrereqStep.tsx +129 -0
package/web/ui/src/components/setup/TestConnectionStep.tsx +108 -0
package/web/ui/src/components/setup/TestMessageStep.tsx +104 -0
package/web/ui/src/components/setup/WireChannelStep.tsx +166 -0
package/web/ui/src/components/setup/types.ts +105 -0
package/web/ui/src/lib/api.test.ts +410 -0
package/web/ui/src/lib/api.ts +1210 -0
package/web/ui/src/lib/auth.test.ts +139 -0
package/web/ui/src/lib/auth.ts +348 -0
package/web/ui/src/lib/channel-adapters.ts +136 -0
package/web/ui/src/main.tsx +19 -0
package/web/ui/src/routes/ApprovalsList.tsx +294 -0
package/web/ui/src/routes/Apps.tsx +613 -0
package/web/ui/src/routes/ChannelWireDetail.test.tsx +233 -0
package/web/ui/src/routes/ChannelWireDetail.tsx +403 -0
package/web/ui/src/routes/ChannelsList.tsx +158 -0
package/web/ui/src/routes/GroupDetail.tsx +755 -0
package/web/ui/src/routes/GroupList.tsx +187 -0
package/web/ui/src/routes/MessagingGroupDetail.test.tsx +233 -0
package/web/ui/src/routes/MessagingGroupDetail.tsx +306 -0
package/web/ui/src/routes/NewGroupWizard.tsx +390 -0
package/web/ui/src/routes/OAuthCallback.tsx +56 -0
package/web/ui/src/routes/SecretsList.tsx +921 -0
package/web/ui/src/routes/SessionsList.tsx +220 -0
package/web/ui/src/routes/SettingsAgentProvider.tsx +109 -0
package/web/ui/src/routes/SettingsApprovals.tsx +234 -0
package/web/ui/src/routes/SetupWizard.tsx +219 -0
package/web/ui/src/routes/VaultDetail.test.tsx +361 -0
package/web/ui/src/routes/VaultDetail.tsx +960 -0
package/web/ui/src/routes/VaultsList.tsx +295 -0
package/web/ui/src/routes/WireChannelPage.tsx +413 -0
package/web/ui/src/styles.css +608 -0
package/web/ui/src/test/setup.ts +23 -0
package/web/ui/src/vite-env.d.ts +10 -0
package/web/ui/tsconfig.json +20 -0
package/web/ui/vite.config.ts +34 -0
package/web/ui/vitest.config.ts +25 -0

package/web/ui/src/routes/VaultDetail.tsx ADDED Viewed

@@ -0,0 +1,960 @@
+/**
+ * /vaults/:name — vault management detail page (Phase 3 of paraclaw#38).
+ *
+ * Three sections:
+ *   1. Tokens table     — GET /api/vaults/:name/tokens, with Revoke confirm modal.
+ *   2. Attached groups  — derived from GET /api/vaults/:name, with Detach modal
+ *                          offering Keep token (default) and Detach + revoke.
+ *   3. Mint new token   — POST /api/vaults/:name/tokens, plaintext shown ONCE
+ *                          in a copy-card. Plaintext lives in component state
+ *                          only; never persisted, never logged.
+ *
+ * Auth model (Option C from the design doc): paraclaw forwards the operator's
+ * hub session JWT to the vault unmodified. The vault checks `vault:<name>:admin`
+ * itself; a 401/403 here means the operator hasn't consented to that narrow
+ * scope yet. Render an explicit "Grant access" CTA that calls
+ * `beginLogin([\`vault:\${name}:admin\`])` rather than auto-redirecting — the
+ * operator should see *why* they're being bounced back to the hub.
+ *
+ * Plaintext rules (loadbearing per design § Token rendering rules):
+ *   - Shown once on mint, in a copy-card with explicit copy button.
+ *   - Never round-tripped through localStorage / sessionStorage.
+ *   - Never re-rendered after the operator dismisses the card.
+ *   - If the operator dismisses without copying, surface a yellow recovery
+ *     banner pointing them at Revoke + re-mint.
+ */
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { Link, useParams } from 'react-router-dom';
+import { formatRelative } from '../components/StatusDot.tsx';
+import {
+  HttpError,
+  detachVault,
+  getVaultDetail,
+  listVaultTokens,
+  mintVaultToken,
+  revokeVaultToken,
+  type MintedVaultToken,
+  type VaultAttachedGroup,
+  type VaultDetail as VaultDetailData,
+  type VaultToken,
+} from '../lib/api.ts';
+import { beginLogin } from '../lib/auth.ts';
+const BROAD_SCOPES = ['vault:read', 'vault:write', 'vault:admin'] as const;
+interface LoadedState {
+  kind: 'ok';
+  detail: VaultDetailData;
+  tokens: VaultToken[];
+}
+interface AuthGateState {
+  kind: 'auth-gate';
+  detail: VaultDetailData;
+  /** What the vault returned — we surface the message verbatim so the operator can debug. */
+  message: string;
+}
+type State =
+  | { kind: 'loading' }
+  | LoadedState
+  | AuthGateState
+  | { kind: 'error'; message: string };
+export function VaultDetail() {
+  const { name: rawName } = useParams<{ name: string }>();
+  const name = rawName ?? '';
+  const [state, setState] = useState<State>({ kind: 'loading' });
+  const [reloadKey, setReloadKey] = useState(0);
+  const reload = useCallback(() => setReloadKey((k) => k + 1), []);
+  useEffect(() => {
+    if (!name) return;
+    let cancelled = false;
+    // Skip the loading-skeleton transition on reloads — keep the existing
+    // LoadedView mounted so its ephemeral local state (mintedDismissed,
+    // pre-targeted modals, etc.) survives the round-trip. Initial mount
+    // still shows the skeleton because state starts as { kind: 'loading' }.
+    setState((prev) =>
+      prev.kind === 'ok' || prev.kind === 'auth-gate' ? prev : { kind: 'loading' },
+    );
+    (async () => {
+      // Load detail (agent:read) and tokens (agent:admin + vault:<name>:admin)
+      // in parallel. The detail call always succeeds for an operator with
+      // a valid session JWT; the tokens call may 401/403 vault-side if the
+      // operator hasn't consented to the narrow vault scope yet.
+      const [detailResult, tokensResult] = await Promise.allSettled([
+        getVaultDetail(name),
+        listVaultTokens(name),
+      ]);
+      if (cancelled) return;
+      if (detailResult.status === 'rejected') {
+        const err = detailResult.reason;
+        const message = err instanceof Error ? err.message : String(err);
+        setState({ kind: 'error', message });
+        return;
+      }
+      if (tokensResult.status === 'rejected') {
+        const err = tokensResult.reason;
+        if (err instanceof HttpError && (err.status === 401 || err.status === 403)) {
+          setState({ kind: 'auth-gate', detail: detailResult.value, message: err.message });
+          return;
+        }
+        const message = err instanceof Error ? err.message : String(err);
+        setState({ kind: 'error', message });
+        return;
+      }
+      setState({ kind: 'ok', detail: detailResult.value, tokens: tokensResult.value });
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [name, reloadKey]);
+  if (!name) {
+    return (
+      <div>
+        <Link to="/vaults" className="muted">
+          ← All vaults
+        </Link>
+        <div className="empty">No vault name in URL.</div>
+      </div>
+    );
+  }
+  if (state.kind === 'loading') {
+    return (
+      <div>
+        <Link to="/vaults" className="muted">
+          ← All vaults
+        </Link>
+        <div className="skeleton skeleton-heading" style={{ marginTop: '1rem' }} />
+        <div className="section">
+          <div className="skeleton skeleton-line" style={{ width: '30%' }} />
+          <div className="skeleton skeleton-line" />
+          <div className="skeleton skeleton-line" style={{ width: '70%' }} />
+        </div>
+      </div>
+    );
+  }
+  if (state.kind === 'error') {
+    return (
+      <div>
+        <Link to="/vaults" className="muted">
+          ← All vaults
+        </Link>
+        <h2>{name}</h2>
+        <div className="error-banner">
+          Couldn't load vault: <code>{state.message}</code>
+        </div>
+        <div className="actions" style={{ marginTop: '1rem' }}>
+          <button onClick={reload}>Retry</button>
+        </div>
+      </div>
+    );
+  }
+  if (state.kind === 'auth-gate') {
+    return <AuthGateView name={name} detail={state.detail} message={state.message} />;
+  }
+  return <LoadedView name={name} state={state} reload={reload} />;
+}
+function AuthGateView({
+  name,
+  detail,
+  message,
+}: {
+  name: string;
+  detail: VaultDetailData;
+  message: string;
+}) {
+  // Click → fire OAuth flow with the narrow per-vault admin scope appended.
+  // beginLogin never returns control (it does window.location.replace); we
+  // wrap in an async function only so the test harness can await the call.
+  const onGrant = async () => {
+    await beginLogin([`vault:${name}:admin`]);
+  };
+  return (
+    <div>
+      <Link to="/vaults" className="muted">
+        ← All vaults
+      </Link>
+      <h2>
+        <code>{name}</code>{' '}
+        <span className="tag muted" title="Vault version reported by the hub">
+          v{detail.vault.version}
+        </span>
+      </h2>
+      <div className="section">
+        <h3>Additional consent required</h3>
+        <p>
+          Managing tokens for <code>{name}</code> requires the per-vault scope{' '}
+          <code>vault:{name}:admin</code>. Your current session doesn't carry it. The
+          hub will prompt you to consent — you'll come right back here.
+        </p>
+        <p className="dim">
+          Vault said: <code>{message}</code>
+        </p>
+        <div className="actions">
+          <button onClick={() => void onGrant()}>Grant access</button>
+          <Link to="/vaults" className="secondary">
+            Back to vaults
+          </Link>
+        </div>
+      </div>
+    </div>
+  );
+}
+interface LoadedViewProps {
+  name: string;
+  state: LoadedState;
+  reload: () => void;
+}
+function LoadedView({ name, state, reload }: LoadedViewProps) {
+  const [flash, setFlash] = useState<{ kind: 'ok' | 'error'; text: string } | null>(null);
+  const [revokeTarget, setRevokeTarget] = useState<VaultToken | null>(null);
+  const [detachTarget, setDetachTarget] = useState<VaultAttachedGroup | null>(null);
+  const [minted, setMinted] = useState<MintedVaultToken | null>(null);
+  const [mintedCopied, setMintedCopied] = useState(false);
+  // Only id + label here — the full MintedVaultToken carries the plaintext,
+  // and we only need the label for display + id to look up the live
+  // VaultToken if the operator clicks the inline 'Revoke' shortcut.
+  const [mintedDismissed, setMintedDismissed] = useState<{ id: string; label: string } | null>(null);
+  const onMinted = (token: MintedVaultToken) => {
+    setMinted(token);
+    setMintedCopied(false);
+    setMintedDismissed(null);
+    setFlash(null);
+  };
+  const onCloseMinted = (copied: boolean) => {
+    if (minted && !copied) {
+      setMintedDismissed({ id: minted.id, label: minted.label });
+    }
+    setMinted(null);
+    setMintedCopied(false);
+    reload();
+  };
+  // Derive the live VaultToken for the banner's inline Revoke CTA. Computed
+  // outside the handler so the JSX can disable the button + show a tooltip
+  // when the lookup misses (race vs. reload, or vault renamed the id post-
+  // mint). Without this guard, clicking the button is inert and the operator
+  // sees no feedback.
+  const liveDismissedToken = mintedDismissed
+    ? (state.tokens.find((t) => t.id === mintedDismissed.id) ?? null)
+    : null;
+  const onRevokeFromBanner = () => {
+    if (liveDismissedToken) {
+      setRevokeTarget(liveDismissedToken);
+      setMintedDismissed(null);
+    }
+  };
+  return (
+    <div>
+      <Link to="/vaults" className="muted">
+        ← All vaults
+      </Link>
+      <h2 style={{ display: 'flex', alignItems: 'center', gap: '0.6rem', flexWrap: 'wrap' }}>
+        <code>{name}</code>
+        <span className="tag muted" title="Vault version reported by the hub">
+          v{state.detail.vault.version}
+        </span>
+      </h2>
+      <div className="dim" style={{ marginTop: '-0.5rem', wordBreak: 'break-all' }}>
+        <code>{state.detail.vault.url}</code>
+      </div>
+      {flash && (
+        <div className={flash.kind === 'ok' ? 'status-banner' : 'error-banner'} style={{ marginTop: '1rem' }}>
+          {flash.text}
+        </div>
+      )}
+      {mintedDismissed && (
+        <div className="warn-banner" style={{ marginTop: '1rem' }}>
+          Token <code>{mintedDismissed.label}</code> was minted but you didn't copy the
+          plaintext. The plaintext is gone — vault stores only a hash. Revoke this token now and
+          mint a new one if you need access.
+          <div className="actions" style={{ marginTop: '0.5rem' }}>
+            <button
+              type="button"
+              className="danger"
+              onClick={onRevokeFromBanner}
+              disabled={!liveDismissedToken}
+              title={
+                liveDismissedToken
+                  ? undefined
+                  : 'Token no longer in current list — see tokens table below'
+              }
+            >
+              Revoke {mintedDismissed.label}
+            </button>
+            <button
+              type="button"
+              className="secondary"
+              onClick={() => setMintedDismissed(null)}
+            >
+              Dismiss
+            </button>
+          </div>
+        </div>
+      )}
+      <TokensSection
+        name={name}
+        tokens={state.tokens}
+        onRevokeClick={setRevokeTarget}
+      />
+      <AttachedGroupsSection
+        attachedGroups={state.detail.attachedGroups}
+        onDetachClick={setDetachTarget}
+      />
+      <MintSection
+        name={name}
+        defaultLabel={`agent-${name}`}
+        onMinted={onMinted}
+        onError={(text) => setFlash({ kind: 'error', text })}
+      />
+      {minted && (
+        <MintedTokenCard
+          token={minted}
+          copied={mintedCopied}
+          onCopied={() => setMintedCopied(true)}
+          onClose={() => onCloseMinted(mintedCopied)}
+        />
+      )}
+      {revokeTarget && (
+        <RevokeModal
+          name={name}
+          token={revokeTarget}
+          onClose={(revoked) => {
+            setRevokeTarget(null);
+            if (revoked) {
+              setFlash({ kind: 'ok', text: `Token ${revokeTarget.label} revoked.` });
+              reload();
+            }
+          }}
+          onError={(text) => setFlash({ kind: 'error', text })}
+        />
+      )}
+      {detachTarget && (
+        <DetachModal
+          vaultName={name}
+          target={detachTarget}
+          onClose={(result) => {
+            setDetachTarget(null);
+            if (result) {
+              const parts = [`Detached ${result.group} from vault.`];
+              if (result.revokedTokenId) parts.push(`Token ${detachTarget.tokenLabel} revoked.`);
+              else if (result.revokeError)
+                parts.push(`Detach succeeded but revoke failed: ${result.revokeError}`);
+              setFlash({
+                kind: result.revokeError ? 'error' : 'ok',
+                text: parts.join(' '),
+              });
+              reload();
+            }
+          }}
+          onError={(text) => setFlash({ kind: 'error', text })}
+        />
+      )}
+    </div>
+  );
+}
+// --- Tokens section -------------------------------------------------------
+function TokensSection({
+  name: _name,
+  tokens,
+  onRevokeClick,
+}: {
+  name: string;
+  tokens: VaultToken[];
+  onRevokeClick: (t: VaultToken) => void;
+}) {
+  return (
+    <div className="section" style={{ marginTop: '1.5rem' }}>
+      <h3>Tokens ({tokens.length})</h3>
+      {tokens.length === 0 ? (
+        <p className="muted">No tokens minted for this vault yet. Use the form below to mint one.</p>
+      ) : (
+        <div>
+          {tokens.map((t) => (
+            <TokenRow key={t.id} token={t} onRevoke={() => onRevokeClick(t)} />
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
+function TokenRow({ token, onRevoke }: { token: VaultToken; onRevoke: () => void }) {
+  const scopes = resolveScopes(token);
+  const isLegacy = !token.scopes && !!token.permission;
+  return (
+    <div
+      style={{
+        display: 'flex',
+        alignItems: 'center',
+        gap: '1rem',
+        padding: '0.75rem 1rem',
+        background: 'white',
+        border: '1px solid var(--border)',
+        borderRadius: '8px',
+        marginBottom: '0.5rem',
+      }}
+    >
+      <div style={{ flex: 1, minWidth: 0 }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: '0.5rem', flexWrap: 'wrap' }}>
+          <code style={{ fontSize: '0.95em' }}>{token.label}</code>
+          {scopes.map((s) => (
+            <span key={s} className="tag muted">
+              {s}
+            </span>
+          ))}
+          {isLegacy && (
+            <span className="tag warn" title="Legacy permission shape — re-mint at your earliest convenience.">
+              legacy
+            </span>
+          )}
+          {token.attachedTo.length === 0 ? (
+            <span className="tag muted" title="No agent group is currently using this token.">
+              orphan
+            </span>
+          ) : (
+            token.attachedTo.map((a) => (
+              <span key={a.folder} className="tag" title={`Attached as ${a.scope}`}>
+                {a.folder}
+              </span>
+            ))
+          )}
+        </div>
+        <div className="dim" style={{ marginTop: '0.25rem' }}>
+          {token.created_at && (
+            <span title={new Date(token.created_at).toLocaleString()}>
+              created {formatRelative(token.created_at)}
+            </span>
+          )}
+          {token.last_used_at !== undefined && (
+            <>
+              {' • '}
+              {token.last_used_at ? (
+                <span title={new Date(token.last_used_at).toLocaleString()}>
+                  last used {formatRelative(token.last_used_at)}
+                </span>
+              ) : (
+                <span className="dim">never used</span>
+              )}
+            </>
+          )}
+          {token.expires_at && (
+            <>
+              {' • '}
+              <span title={new Date(token.expires_at).toLocaleString()}>
+                expires {formatRelative(token.expires_at)}
+              </span>
+            </>
+          )}
+          {' • '}
+          <code style={{ fontSize: '0.78rem' }}>{token.id}</code>
+        </div>
+      </div>
+      <button
+        type="button"
+        className="secondary danger"
+        onClick={onRevoke}
+        style={{ background: 'white', borderColor: 'var(--error)', color: 'var(--error)' }}
+      >
+        Revoke
+      </button>
+    </div>
+  );
+}
+function resolveScopes(token: VaultToken): string[] {
+  if (token.scopes && token.scopes.length > 0) {
+    return [...token.scopes].sort();
+  }
+  // Legacy bridge: vault's `permission` field maps to scope set per
+  // parachute-vault/src/scopes.ts:24. Mirror the rule client-side so the
+  // table renders correctly during the back-compat window.
+  if (token.permission === 'full') return ['vault:read', 'vault:write'];
+  if (token.permission === 'read') return ['vault:read'];
+  return [];
+}
+// --- Attached-groups section ---------------------------------------------
+function AttachedGroupsSection({
+  attachedGroups,
+  onDetachClick,
+}: {
+  attachedGroups: VaultAttachedGroup[];
+  onDetachClick: (g: VaultAttachedGroup) => void;
+}) {
+  return (
+    <div className="section" style={{ marginTop: '1.5rem' }}>
+      <h3>Attached groups ({attachedGroups.length})</h3>
+      {attachedGroups.length === 0 ? (
+        <p className="muted">No agent groups are using this vault.</p>
+      ) : (
+        <div>
+          {attachedGroups.map((g) => (
+            <div
+              key={g.folder}
+              style={{
+                display: 'flex',
+                alignItems: 'center',
+                gap: '1rem',
+                padding: '0.75rem 1rem',
+                background: 'white',
+                border: '1px solid var(--border)',
+                borderRadius: '8px',
+                marginBottom: '0.5rem',
+              }}
+            >
+              <div style={{ flex: 1, minWidth: 0 }}>
+                <div style={{ display: 'flex', alignItems: 'center', gap: '0.5rem', flexWrap: 'wrap' }}>
+                  <Link to={`/groups/${encodeURIComponent(g.folder)}`}>
+                    <code style={{ fontSize: '0.95em' }}>{g.folder}</code>
+                  </Link>
+                  <span className="tag">{g.scope}</span>
+                  <span className="tag muted" title="The token label used to mint this attachment.">
+                    {g.tokenLabel}
+                  </span>
+                </div>
+                <div className="dim" style={{ marginTop: '0.25rem' }}>
+                  attached <span title={new Date(g.attachedAt).toLocaleString()}>{formatRelative(g.attachedAt)}</span>
+                </div>
+              </div>
+              <button type="button" className="secondary" onClick={() => onDetachClick(g)}>
+                Detach…
+              </button>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
+// --- Mint section ---------------------------------------------------------
+interface MintSectionProps {
+  name: string;
+  defaultLabel: string;
+  onMinted: (t: MintedVaultToken) => void;
+  onError: (message: string) => void;
+}
+function MintSection({ name, defaultLabel, onMinted, onError }: MintSectionProps) {
+  const [label, setLabel] = useState(defaultLabel);
+  const [scopes, setScopes] = useState<Set<string>>(new Set(['vault:read']));
+  const [expiresAt, setExpiresAt] = useState('');
+  const [busy, setBusy] = useState(false);
+  const toggleScope = (s: string) =>
+    setScopes((prev) => {
+      const next = new Set(prev);
+      if (next.has(s)) next.delete(s);
+      else next.add(s);
+      return next;
+    });
+  const onSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!label.trim() || scopes.size === 0) return;
+    setBusy(true);
+    try {
+      const minted = await mintVaultToken(name, {
+        label: label.trim(),
+        scopes: Array.from(scopes),
+        expires_at: expiresAt ? new Date(expiresAt).toISOString() : null,
+      });
+      onMinted(minted);
+      setLabel(defaultLabel);
+      setScopes(new Set(['vault:read']));
+      setExpiresAt('');
+    } catch (err) {
+      onError(err instanceof Error ? err.message : String(err));
+    } finally {
+      setBusy(false);
+    }
+  };
+  return (
+    <div className="section" style={{ marginTop: '1.5rem' }}>
+      <h3>Mint new token</h3>
+      <form onSubmit={onSubmit}>
+        <div className="row">
+          <label htmlFor="mint-label">Label</label>
+          <input
+            id="mint-label"
+            type="text"
+            value={label}
+            onChange={(e) => setLabel(e.target.value)}
+            disabled={busy}
+            maxLength={64}
+            placeholder="agent-research"
+            required
+          />
+          <p className="dim">Identifier for revocation — alphanumeric + dashes, 64 chars max.</p>
+        </div>
+        <div className="row">
+          <label>Scopes</label>
+          <div style={{ display: 'flex', flexDirection: 'column', gap: '0.4rem' }}>
+            {BROAD_SCOPES.map((s) => (
+              <label key={s} style={{ display: 'inline-flex', gap: '0.5rem', alignItems: 'center', fontWeight: 400 }}>
+                <input
+                  type="checkbox"
+                  checked={scopes.has(s)}
+                  onChange={() => toggleScope(s)}
+                  disabled={busy}
+                />
+                <code>{s}</code>
+                <span className="dim">{SCOPE_HINT[s]}</span>
+              </label>
+            ))}
+          </div>
+        </div>
+        <div className="row">
+          <label htmlFor="mint-expires">Expires (optional)</label>
+          <input
+            id="mint-expires"
+            type="date"
+            value={expiresAt}
+            onChange={(e) => setExpiresAt(e.target.value)}
+            disabled={busy}
+          />
+          <p className="dim">Leave blank for never. Vault interprets the absence as no expiry.</p>
+        </div>
+        <div className="actions">
+          <button type="submit" disabled={busy || !label.trim() || scopes.size === 0}>
+            {busy ? 'Minting…' : 'Mint token'}
+          </button>
+        </div>
+      </form>
+    </div>
+  );
+}
+const SCOPE_HINT: Record<(typeof BROAD_SCOPES)[number], string> = {
+  'vault:read': 'read notes, search, follow links',
+  'vault:write': 'read + create/update/delete notes',
+  'vault:admin': 'write + token management + vault config',
+};
+// --- Minted token card ----------------------------------------------------
+function MintedTokenCard({
+  token,
+  copied,
+  onCopied,
+  onClose,
+}: {
+  token: MintedVaultToken;
+  copied: boolean;
+  onCopied: () => void;
+  onClose: () => void;
+}) {
+  const dialogRef = useRef<HTMLDialogElement | null>(null);
+  const [copyError, setCopyError] = useState<string | null>(null);
+  useEffect(() => {
+    const d = dialogRef.current;
+    if (d && !d.open) d.showModal();
+    return () => {
+      if (d?.open) d.close();
+    };
+  }, []);
+  const onCopy = async () => {
+    setCopyError(null);
+    try {
+      await navigator.clipboard.writeText(token.token);
+      onCopied();
+    } catch (err) {
+      setCopyError(err instanceof Error ? err.message : String(err));
+    }
+  };
+  return (
+    <dialog
+      ref={dialogRef}
+      onClose={onClose}
+      style={{
+        width: 'min(560px, 92vw)',
+        border: '1px solid var(--border)',
+        borderRadius: '12px',
+        padding: 0,
+        background: 'white',
+      }}
+    >
+      <form method="dialog" onSubmit={(e) => e.preventDefault()}>
+        <div style={{ padding: '1.25rem 1.5rem', borderBottom: '1px solid var(--border)' }}>
+          <h3 style={{ margin: 0, fontSize: '1.05rem' }}>Token minted — copy now</h3>
+          <p className="dim" style={{ marginTop: '0.4rem' }}>
+            Plaintext is shown <strong>once</strong>. The vault stores only a hash; closing this card
+            without copying means the token is unrecoverable.
+          </p>
+        </div>
+        <div style={{ padding: '1.25rem 1.5rem' }}>
+          <div className="row">
+            <label>Label</label>
+            <code>{token.label}</code>
+          </div>
+          <div className="row">
+            <label htmlFor="minted-token">Plaintext token</label>
+            <input
+              id="minted-token"
+              type="text"
+              readOnly
+              value={token.token}
+              style={{ fontFamily: 'monospace', fontSize: '0.85rem' }}
+              onFocus={(e) => e.currentTarget.select()}
+            />
+            <div className="actions" style={{ marginTop: '0.5rem' }}>
+              <button type="button" onClick={() => void onCopy()}>
+                {copied ? 'Copied ✓' : 'Copy to clipboard'}
+              </button>
+              <button type="button" className="secondary" onClick={onClose}>
+                {copied ? 'Done' : 'Close without copying'}
+              </button>
+            </div>
+            {copyError && (
+              <p className="error-banner" style={{ marginTop: '0.5rem' }}>
+                Couldn't copy: {copyError}. Select the value above and copy manually.
+              </p>
+            )}
+          </div>
+          {!copied && (
+            <p className="warn-banner" style={{ marginTop: '0.5rem' }}>
+              You haven't copied the token yet. If you close now, you'll need to revoke and mint a
+              new one.
+            </p>
+          )}
+        </div>
+      </form>
+    </dialog>
+  );
+}
+// --- Revoke modal ---------------------------------------------------------
+function RevokeModal({
+  name,
+  token,
+  onClose,
+  onError,
+}: {
+  name: string;
+  token: VaultToken;
+  onClose: (revoked: boolean) => void;
+  onError: (message: string) => void;
+}) {
+  const dialogRef = useRef<HTMLDialogElement | null>(null);
+  const [busy, setBusy] = useState(false);
+  useEffect(() => {
+    const d = dialogRef.current;
+    if (d && !d.open) d.showModal();
+    return () => {
+      if (d?.open) d.close();
+    };
+  }, []);
+  const onConfirm = async () => {
+    setBusy(true);
+    try {
+      await revokeVaultToken(name, token.id);
+      onClose(true);
+    } catch (err) {
+      onError(err instanceof Error ? err.message : String(err));
+      setBusy(false);
+    }
+  };
+  return (
+    <dialog
+      ref={dialogRef}
+      onClose={() => onClose(false)}
+      style={{
+        width: 'min(480px, 92vw)',
+        border: '1px solid var(--border)',
+        borderRadius: '12px',
+        padding: 0,
+        background: 'white',
+      }}
+    >
+      <form method="dialog" onSubmit={(e) => e.preventDefault()}>
+        <div style={{ padding: '1.25rem 1.5rem', borderBottom: '1px solid var(--border)' }}>
+          <h3 style={{ margin: 0, fontSize: '1.05rem' }}>
+            Revoke <code>{token.label}</code>?
+          </h3>
+        </div>
+        <div style={{ padding: '1.25rem 1.5rem' }}>
+          <p>
+            Revocation is <strong>one-way</strong>. Any agent group still using this token will
+            start failing immediately on its next vault call.
+          </p>
+          {token.attachedTo.length > 0 && (
+            <p className="warn-banner">
+              This token is currently attached to:{' '}
+              {token.attachedTo.map((a) => a.folder).join(', ')}.
+            </p>
+          )}
+          <div className="actions" style={{ marginTop: '1rem', justifyContent: 'flex-end' }}>
+            <button type="button" className="secondary" onClick={() => onClose(false)} disabled={busy}>
+              Cancel
+            </button>
+            <button
+              type="button"
+              className="danger"
+              onClick={() => void onConfirm()}
+              disabled={busy}
+            >
+              {busy ? 'Revoking…' : 'Revoke token'}
+            </button>
+          </div>
+        </div>
+      </form>
+    </dialog>
+  );
+}
+// --- Detach modal ---------------------------------------------------------
+interface DetachOutcome {
+  group: string;
+  revokedTokenId: string | null;
+  revokeError: string | null;
+}
+function DetachModal({
+  vaultName,
+  target,
+  onClose,
+  onError,
+}: {
+  vaultName: string;
+  target: VaultAttachedGroup;
+  onClose: (result: DetachOutcome | null) => void;
+  onError: (message: string) => void;
+}) {
+  const dialogRef = useRef<HTMLDialogElement | null>(null);
+  const [busy, setBusy] = useState(false);
+  useEffect(() => {
+    const d = dialogRef.current;
+    if (d && !d.open) d.showModal();
+    return () => {
+      if (d?.open) d.close();
+    };
+  }, []);
+  const detach = async (revokeToken: boolean) => {
+    setBusy(true);
+    try {
+      // Thread the narrow per-vault admin scope only when we're actually
+      // calling vault — Keep-token (revokeToken=false) just hits the
+      // parachute-agent-side agent:write check, which the broad re-auth set
+      // already covers. Asking for vault:<name>:admin on the Keep path
+      // would be a no-op extra scope on the consent screen.
+      const result = await detachVault(target.folder, {
+        mcpName: target.mcpName,
+        revokeToken,
+        authExtraScopes: revokeToken ? [`vault:${vaultName}:admin`] : undefined,
+      });
+      onClose({
+        group: result.group.folder,
+        revokedTokenId: result.revokedTokenId,
+        revokeError: result.revokeError,
+      });
+    } catch (err) {
+      onError(err instanceof Error ? err.message : String(err));
+      setBusy(false);
+    }
+  };
+  return (
+    <dialog
+      ref={dialogRef}
+      onClose={() => onClose(null)}
+      style={{
+        width: 'min(520px, 92vw)',
+        border: '1px solid var(--border)',
+        borderRadius: '12px',
+        padding: 0,
+        background: 'white',
+      }}
+    >
+      <form method="dialog" onSubmit={(e) => e.preventDefault()}>
+        <div style={{ padding: '1.25rem 1.5rem', borderBottom: '1px solid var(--border)' }}>
+          <h3 style={{ margin: 0, fontSize: '1.05rem' }}>
+            Detach <code>{target.folder}</code> from this vault
+          </h3>
+        </div>
+        <div style={{ padding: '1.25rem 1.5rem' }}>
+          <p>
+            Token <code>{target.tokenLabel}</code> minted as <code>{target.scope}</code>.
+          </p>
+          <p className="muted">
+            Choose what happens to the token. Detaching always removes the agent's vault MCP entry —
+            the difference is whether the token stays live on the vault.
+          </p>
+          <div className="actions" style={{ marginTop: '1rem', justifyContent: 'flex-end', flexWrap: 'wrap' }}>
+            <button type="button" className="secondary" onClick={() => onClose(null)} disabled={busy}>
+              Cancel
+            </button>
+            <button
+              type="button"
+              className="danger"
+              onClick={() => void detach(true)}
+              disabled={busy}
+            >
+              {busy ? 'Working…' : 'Detach + revoke'}
+            </button>
+            <button
+              type="button"
+              onClick={() => void detach(false)}
+              disabled={busy}
+              autoFocus
+              style={{ cursor: 'default' }}
+            >
+              Keep token
+            </button>
+          </div>
+          <p className="dim" style={{ marginTop: '0.75rem' }}>
+            <strong>Keep token</strong> is the default — silently revoking can wedge unrelated
+            callers. Use <strong>Detach + revoke</strong> when retiring a group.
+          </p>
+        </div>
+      </form>
+    </dialog>
+  );
+}